The night the lights went out all over

By
27 October 2000 10:46 AM
Tags: security, merrill lynch, virus, scott, message, anti virus, mail, scan

May 5 was a dark and stormy day for Merrill Lynch. It was a particularly bleak day for the Global Electronic Messaging Team because that was the day members were forced to do what they hate to do: watch scores of lights flicker out as they shut down hundreds of Microsoft Exchange servers, all thanks to their digital hearts being broken by the LoveLetter e-mail virus.

Why is it so traumatic when viruses manage to scale the corporate wall? Because when those server lights go out, money goes up in smoke. Although Kimberly Scott, vice president of Enterprise Project Management, a division of Merrill Lynch's Enterprise Technology Services, declined to say how much the LoveLetter virus cost the financial brokerage house, analysts say the price of lost time and productivity brought tears to many corporate eyes following LoveLetter. All told, the virus, which hit hundreds of organisations, cost corporations more than US$700 million, according to ICSA.net, an affiliate of Gartner Group, in Stamford.

And that was one heartbreak Merrill Lynch, which has offices in 44 countries, didn't care to repeat.

While many companies shored up their anti-virus scanning software following the outbreak of the virus, Merrill Lynch took a different route, looking for new technologies that would keep malicious e-mail-borne viruses from breaching its computing environment in the first place. Merrill Lynch is implementing behavioral anti-virus scanning software on its Exchange servers to protect desktops and PDAs (personal digital assistants) from attack. But beyond technical approaches, it is also educating its 75,000 employees on the behavior of malicious e-mail viruses and how to protect themselves from them. For example, the Global Electronic Messaging Team warns users that even with Symantec's Norton Anti-Virus and Network Associates's McAfee products running on their desktops, they need to be careful with attachments.

That type of defense, addressing security strategy at both the technical and behavioral levels, is the right move, experts say, and it's one many companies are beginning to take. "The Love Bug prompted many companies to look for new anti-virus alternatives," said Jan Sundgren, an analyst with Giga Information Group, in Chicago. "Behavioral anti-virus solutions provide a reasonable option for companies that want an extra margin of security."

Nowadays, corporations need all the extra margin of security they can get. In this era of e-business, where viruses can spread in minutes, the old rules for protecting computers from viruses don't apply anymore. After all, long gone are the days when it took months for a virus to spread via floppy disks.

Of course, with client assets of US$1.8 trillion to protect, security is a primary concern at Merrill Lynch. Because Merrill Lynch suspected LoveLetter copycats were on their way, the company knew it needed to find a product that fit all of the company's needs and install it fast.

Merrill Lynch, like many other companies, turned to a breed of virus-protection products that, unlike traditional scanning technologies, can proactively evaluate the behavior of code coming from the Internet. Before end users have a chance to release code into local networks, such products lock it away from critical network resources with a capability called sandboxing.

At Merrill Lynch, that means evaluating code coming into some 85,000 Microsoft Outlook e-mail boxes. Companywide, there are two e-mail environments: one for private, high-net-worth clients and one for corporate, high-net-worth clients. The two environments are joined through SMTP.

While the company's anti-virus scanning software worked, Scott was concerned about MAPI (Messaging API)-based delivery solutions, since they can scan and raise alerts for only 64,000 simultaneous e-mail messages. It's message No. 64,001 that was keeping Scott awake at night, since it could slip by MAPI and infect the organisation.

With LoveLetter propagating at lightning speed on May 5, Merrill Lynch was bombarded by infected messages that eventually exceeded that 64,000 limit.

"We're talking about hundreds, if not thousands, of milliseconds in time it took us to go over 64,000 messages being scanned," Scott said. "But we found ourselves in a position where we ... were at that limit and couldn't clean the viruses as fast as they were propagating."

Reluctant to rely again on MAPI-based anti-virus software, Merrill Lynch chose Sybari Software's Antigen product, which protects inbound and outbound SMTP mail at Exchange's IMS (Internet Mail Service) connector. Rather than rely on MAPI, the product scans Merrill Lynch's e-mail messages from the Internet before they're delivered to the Exchange Information Store. Vendors such as Aladdin Knowledge Systems Ltd., Finjan Software Ltd. and Pelican Security provide similar tools. If an infected attachment is sent to Merrill Lynch, Antigen pulls it out of the message and sends it to a scanning engine to be cleaned. The process takes seconds and is unnoticeable to the message recipient, Scott said.

In the three weeks following LoveLetter, the Global Electronic Messaging Team tested the Antigen software, running it on production servers. The team wanted to ensure that no viruses were allowed through and that none of her customers, Merrill Lynch employees, would notice any delay in mail delivery.

Merrill Lynch was able to deploy Antigen in six weeks using remote installation for its private client environment, which has 25,000 users in 750 locations. Scott said she has seen 100 percent protection. In addition, Scott said Sybari was able to protect PDAs running Outlook from the Liberty Crack Trojan horse that infected Palm-based devices in August. The company has begun to deploy the product for its corporate environment and expects to be finished this month.

But the Global Electronic Messaging Team's work didn't stop after implementation of Antigen. It customised the software so that IT and the sender and receiver of a message will be notified of a virus. It's all part of Merrill Lynch's efforts to educate users on e-mail security and make sure they understand that, despite strong technical walls, they still need to be careful with attachments.

Although Antigen has kept Merrill Lynch safe so far, Scott knows hackers are launching increasingly sophisticated attacks on the Internet. For example, hackers are working on Trojan horse programs using VBScript and embedding them into HTML e-mail.

Those types of attacks are scary enough to keep any IT manager awake at night. Even inside her newly fortified castle, Scott remains cautious. But one thing's for sure: She's determined never again to see those Exchange lights go dim.
